open() syscall and success=0 question
Steve Grubb
sgrubb at redhat.com
Tue May 13 14:46:10 UTC 2008
On Tuesday 13 May 2008 10:36:58 Keith Kaple wrote:
> Can you ellaborate a little on EPERM vs. EACCES?
>
> Say a normal user tries to cp /etc/passwd and gets "permission denied" in
> the shell, will exit=-EPERM or -EACCESS?
According to man 2 open, both could be returned for a permission error. strace
tells us this, though:
open("/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
So, for that scenario, you want to also have a rule of:
auditctl -a exit,always -S open -F exit=-EACCES
> I assume there will be an entry for both if perhaps success=0 alone is
> used..
Yes, and there will be one for any ENOENT and a host of other failed returns.
You will need 2 rules to cover both permission denied return codes.
-Steve
More information about the Linux-audit
mailing list